Use a QR code to point users to the Intune Company Portal app for enrollment

Use a QR code to point users to the Intune Company Portal app for enrollment

Quick post here, ever wonder how you can create a QR code that points to the Intune Company Portal in the iOS app store (or any app store), and paste it in an email and send it to your end users? Well it’s super easy to do. Simply search online for a QR code generator. Example: https://www.bing.com/search?q=qr%20code%20generator

When I searched for a QR code generator, a result came up inline of my search results and I pasted the URL that points to the Intune Company Portal in the Apple app store and it generated the QR code below.

If you’re interested, here’s the raw data behind the QR code:

Even better, the Intune Company Portal has 4.5 stars, hey that’s awesome!  Ok shameless plug, however it’s really cool to have such a high rating.

Anyway, theoretically you can do this for any app in an app store, whether they’re Microsoft Office apps, 3rd party apps, one of your published apps, etc.

To save you time, I generated QR codes that point to the Intune Company Portal (or enrollment URL in MacOS case) for all the platforms supported by Microsoft Intune:

iOS                                 Android

        

Windows Store            MacOS

        

Note: MacOS points to https://portal.manage.microsoft.com

Here’s an example email I manually created. Create your own by copying a QR code and generating your own custom emails using your corporate email application such as Outlook.  Your users will love it!  Plus it streamlines their enrollment process.

Here an example of using the built-in camera in iOS to scan the QR code.  As you can see it took me directly to the Intune Company Portal app in the Apple app store.

Intune_iOS_QRCode

 

If you’re intersted, for coporate owned devices Intune supports NFC, QR, and Zero Touch for Android Enterprise already, for more information please visit: https://docs.microsoft.com/en-us/intune/android-enroll

That’s it, I hope you find this valuable when directing your end users to enroll their devices with Microsoft Intune.

Intune MacOS management capabilities

Back in 2015 I wrote a blog about Mac management with Intune, however it’s been a few years and I feel it’s time we re-visit Mac management with Intune to learn more about what’s changed. You’ll soon learn there’s been a significant amount of progress and since my first post Intune now has a lot of native Mac management capabilities built in.

First let’s look at MacOS enrollment options with Intune.

MacOS enrollment options

There are two methods to enroll MacOS with Intune, user driven or using Device Enrollment Program.

User driven enrollment

For user driven enrollment the end user will need to sign into the web based version of the company portal via https://portal.manage.microsoft.com

If the user already had a device registered it will show on the screen, if the Mac is the first device being enrolled, they will see the following:

Once the user selects “Add this one by tapping here” they’ll be prompted to download the Intune Company Portal app.

After the Company Portal is downloaded and installed, open it up and you’ll be asked to sign-in using your corporate credentials. These are the same credentials used to sign into Office 365 (derived from Azure AD).

After sign-in is complete the device will begin the enrollment process.

For more details on user driven Mac enrollment please visit: https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp

Apple Device Enrollment Program

The concept of the Apple DEP is to associate devices with an organization and to streamline the enrollment process, similar to enrolling Apple iOS devices. However, enrollment requires a different process by associating an Apple enrollment token with Intune. After the enrollment token is added and enrollment profile is created in Intune and associated with the enrollment token.

During the enrollment profile creation process you’ll be asked to select user affinity (i.e. userless or user associated). Once user affinity is selected, you’ll also select whether or not you’ll allow users to remove the enrollment profile via the “Locked enrollment” setting.  Finally, you’ll customize the setup assistance which allows for hiding setup screen, e.g. Apple Pay, Siri, Registration, etc.

For more details on the Apple enrollment token process with Intune please visit: https://docs.microsoft.com/en-us/intune/device-enrollment-program-enroll-macos

Conditional access

An exciting feature of Azure AD is the ability to target certain device platforms (e.g. MacOS) and set a series of conditions for access by creating conditional access policies in Azure AD.

Compliance

Azure AD and Intune compliance policies also play a role in access. Step through the compliance policies below to view the restrictions that may be enabled for the device to be compliant.

Device Health

System integrity protection prevents malicious apps from modifying protected files and folders.

Device Properties

Specify which OS version and builds you’ll allow before accessing corporate resources.

System Security

Configured password and password integrity, storage encryption, firewall, and gatekeeper to project against malware.

Actions to take for non-compliance

Take action when devices are not compliant with the compliance policy by sending the user a mail and/or locking the device.

Associating an Intune compliance policy with Azure AD conditional access policy

Create an Azure AD conditional access policy to require the device be compliant to access corporate resources.

Looking at device configuration for MacOS there are a number of settings, and in my opinion, those settings address a lot of organizations requirements for Apple Mac management.

Device features

Device restrictions








Endpoint protection

Looking to protect the device further by configuring the firewall and controlling where apps are installed from? Gatekeep will help with those requirements.


Further configure firewall settings to device what you’ll allow in and which apps are allowed and/or blocked.


Certificates

Intune supports PKCS certificates for general and S/MIME purposes.



Device and user-based certificates are both supported via SCEP


VPN

Many VPN settings are available including 3rd party VPN support.


Make note of On-demand and per-app VPN


Use a proxy server? No problem!


Wi-Fi

Both Basic and Enterprise Wi-Fi profiles are supported with various auth types.


Customize with Apple Configurator

Don’t see a setting in the UI, not to worry as you can create a custom profile using Apple Profile Manager and/or Apple Configurator and upload the payload for delivery through Intune.


App deployment

Both line of business and Office apps are supported right from the UI.


When selecting “Line-of-business app” the MacOS app must be wrapped using the app wrapping tool for Mac which will wrap the app and give it an extension of .intuneMac.

The tool is available on GitHub: https://github.com/msintuneappsdk/intune-app-wrapping-tool-mac

To learn more about Mac app deployment with Intune please visit: https://docs.microsoft.com/en-us/intune/lob-apps-macos

One of my peers Scott Duffey @Scottduf has a great post on this topic: https://blogs.technet.microsoft.com/microscott/deploying-apps-to-macs-using-microsoft-intune/

Note: as of this post only .pkg files are supported nor are conversions from .dmg to .pkg

Microsoft + Jamf partnership

Microsoft has also has a partnership with Jamf. Jamf also provides MacOS management and if your organization currently utilizes Jamf and would like to receive the benefits of integrating Jamf with Intune you can do this today with Jamf Pro. So, what does this mean?

MacOS devices managed by Jamf remain managed by Jamf when Intune comes into the picture (thus are only registered with Intune not enrolled) and integrating Jamf Pro with Intune provides a path for Jamf to send signals in the form of inventory to Intune. Intune will use compliance policies to evaluate the Jamf signals and in turn send signals over to Azure AD stating whether the device is compliant or not. The Azure AD conditional access policy will kick in and based on your configuration of the conditional access policy, will either block or further challenge the user to remediate before access company resources.

For more details about Intune and Jamf integration please visit: https://docs.microsoft.com/en-us/intune/conditional-access-integrate-jamf

Jamf also has a whitepaper about Intune integration: https://www.jamf.com/resources/technical-papers/integrating-with-microsoft-intune-to-enforce-compliance-on-macs/

That’s it for now, however Microsoft is always releasing updates for Intune.  Check back monthly with What’s new in Microsoft Intune and be sure to check which Intune features are under development by visiting: https://docs.microsoft.com/en-us/intune/in-development

Microsoft Intune and Apple Mac Management

The Microsoft Intune team recently announced the ability to enroll and manage the Apple Mac. I’m happy to say that the feature has been deployed as part of the recent Intune release. Today’s post will focus on Mac enrollment and management via Intune.

For details you can read more about the update and what management features are offered for Mac here: http://blogs.technet.com/b/microsoftintune/archive/2015/11/23/introducing-intune-support-for-mac-os-x-management.aspx & https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos

Requirements

  • A Mac running OS X 10.9 or later
  • An Intune Subscription
  • User(s) assigned an Intune license so they can enroll

UPDATED INFORMATION – May 2017

 

Let’s get started

On the Mac navigate to http://portal.manage.microsoft.com

Log in with an Azure Active Directory (Azure AD) user credential (someone who also has an Intune license assigned):

clip_image002

Notice the customization of the login page, this can all be changed via Azure Active Directory in the Azure portal.

clip_image004

Select “This device is either not enrolled or the Company Portal can’t identify it.”

Note: if you cancel out of the enrollment and go back later and don’t see the option to enroll, clear browsing history and close down Safari then reopen Safari, login, and the option should show up again.

clip_image006

Select “ENROLL” to begin the Intune enrollment process.

clip_image008

Select “Install” to install the Intune management profile.

clip_image010

Select “Show Profile” to view more about the profile being installed and select “Install” to continue with the installation. Depending on your settings you may be promoted to type in your Mac account password.

clip_image012

Another install prompt may appear, select “Show Profile” again to show the new information and rights being deployed. When finished reviewing, select “Continue” and “Install”.

clip_image014

Once the profiles are installed you’ll see a screen similar to the following:

image

 

After installation is complete, the enrollment windows in Safari will remain open. Go ahead and close those out and refresh the page that has “My Devices” on it. After the reload is complete, the Mac will show up with a check box.

image

image

image

Select the Mac to view whether or not it’s in compliance:

image


Once Mac’s are enrolled they’ll download and apply policies whether created before or after enrollment.

 

Intune Mac Policies

Policies available for Mac in this release are as follows (more info: http://blogs.technet.com/b/microsoftintune/archive/2015/11/23/introducing-intune-support-for-mac-os-x-management.aspx):

To set up a new Mac policy navigate to http://portal.azure.com select Intune –> Device configuration –> Profiles –> Create profile

image

 

Select the type of Profile you’d like to deploy:

Overview of Mac OS X configuration policies with Intune: https://docs.microsoft.com/en-us/intune-classic/deploy-use/mac-os-x-policy-settings-in-microsoft-intune

 

image

Note: for custom configuration you’ll need to utilize download and utilize Apple Configurator on a Mac: https://itunes.apple.com/us/app/apple-configurator-2/id1037126344?mt=12 

 

Classic Intune Portal

clip_image022

In addition to the policies above Intune will track and report on Hardware and Software:

clip_image024

 

Need to deploy apps and go beyond Intune Mac management features?  Have a look at Mac management with System Center Configuration Manager (SCCM).

Need to manage devices beyond Mac? Intune will manage Android, iOS, Windows Phone, and Windows as well. Read more here: https://technet.microsoft.com/en-us/library/jj676587.aspx

Keep an eye out for new Intune updates here: http://blogs.technet.com/b/microsoftintune/default.aspx